Solving the Dilemma of State Responses to Cyberattacks

Contents

Full Title of Reference

Solving the Dilemma of State Responses to Cyberattacks: A Justification for the use of Active Defenses Against States Who Neglect Their Duty to Prevent

Full Citation

Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 Mil. L. Rev. 1 (2009). Web

Synopsis

ABSTRACT

The greatest advances in law, like those in science, come through imagination. When scientific knowledge fails to explain new discoveries about the universe, scientists advance new theories to account for their discoveries' so too with the law. Revolutions in technology, like the Internet, challenge the framework that regulates international armed conflict. Legal scholars must use imagination to find ways to tackle this problem. If not, the law will become obsolete and meaningless to the states that need its guidance. Man has long sought to regulate warfare. From the Chivalric Code to the U.N. Charter, man has placed restraints on the times one can resort to war and the methods with which it is conducted. There are a variety of reasons why, but, to generalize, regulations are the response to perceived problems with the state of war at a given time. Sometimes these perceptions are the result of shifts in the social conscience. At other times, values haven't changed at all, but problems arise due to radical changes in the way war is waged. As warfare changes, so must the law; and warfare is changing fast. Traditionally, the instruments of war were only controlled by states. However, in today's world of globally interconnected computer systems, non-state actors with a laptop computer and an Internet connection can attack the critical infrastructure of another state from across the world.
Global connectivity is a double-edged sword. While it provides tremendous benefits to states, it also opens the door to state and non-state actors who wish to attack and disrupt a state’s critical information systems. This is a major paradigm shift, which the law of war, today, fails to adequately address. This paper will explore the unique challenges that cyberattacks pose to the law of war and provide an analytical framework for dealing with them.

THE ATTRIBUTION PROBLEM

The current legal paradigm, which requires attribution to a state or its agents, perpetuates the response crisis because it is virtually impossible
to attribute a cyberattack during an attack. Although states can trace the cyberattack back to a computer server in another state, conclusively
ascertaining the identity of the attacker requires an intensive, time-consuming investigation with assistance from the state of origin. Given
the prohibition on responding with force until an attack has been attributed to a state or its agents, coupled with the fact that the vast
majority of cyberattacks are conducted by non-state actors, it should come as no surprise that states treat cyberattacks as a criminal matter.
This “attribution problem” locks states into the response crisis.

In 2008, Georgia traced the cyberattacks against it back to Russia, but could not pin them on its government. Similarly, U.S. officials believed that China
sponsored the 2007 cyberattacks against the Pentagon, but could not prove the link. Following a familiar pattern, Estonia traced the 2007 attacks back to Russia, but could not tie them to the Russian government. Ultimately, in each of these cases, states were unable to solve the attribution problem, which legally limited them from using active defenses and forced them to rely on passive defenses and criminal laws.

Security experts believe that China intentionally ignores the criminal acts of its hackers, buys stolen information from them, and uses them to spy on other states. Meanwhile, Russia has rejected numerous Estonian requests to help track down the attackers responsible for the 2007 cyberattacks. As may be
expected, China and Russia reject these accusations. Still, all of this suggests that state cooperation is offered in name only, that these states
are sponsoring cyberattacks, and that states cannot rely on criminal laws to eliminate the growing cyberthreat.

OUTMODED LAW

Unfortunately, state responses to cyberattacks are governed by an anachronistic legal regime that impairs a state’s ability to defend itself.
No comprehensive treaty exists to regulate international cyberattacks.Consequently, states must practice law by analogy: either equating
cyberattacks to traditional armed attacks and responding to them under the law of war or equating them to criminal activity and dealing with
them as a criminal matter.

The prevailing view of states and legal scholars is that states must treat international cyberattacks as a criminal matter because the law of war forbids states from responding with force unless an attack can be attributed to a foreign state or its agents

This article concludes that states have a right under international law to (1) view and respond to cyberattacks as acts of war and not solely as criminal matters, and (2) use active, not just passive, defenses against the computer networks in other states, that may or may not have initiated an attack, but have neglected their duty to prevent cyberattacks from within their borders.

PASSIVE vs. ACTIVE DEFENSE

Treating cyberattacks as a criminal matter would not be problematic if passive defenses and criminal laws provided sufficient protection from
cyberattacks. Unfortunately, neither is adequate. While passive defenses are always the first line of defense and reduce the chances of a successful
cyberattack, states cannot rely on them to completely secure their critical information systems.

WHAT TO DO

History shows that states will take matters into their own hands when legal means seem inadequate to protect themselves and their citizens.
One can imagine a scenario where a state was subject to a cyberattack so severe that it felt an armed response was required. Given the ease with
which a non-state actor could trigger such a scenario, international law must provide states acceptable legal means to defend themselves. When
states have legal means to resolve their disputes, they are more likely to behave in predictable ways that are accepted by the international
community. Thus, unless the international community wants to risk unpredictable and potentially unacceptable responses to cyberattacks,
international law must adapt to provide states with legal means to effectively defend themselves.

This is not a new thought. Legal scholars are increasingly recognizing that the current legal regime leaves states vulnerable to
cyberattacks and needs to change. However, despite their recognition of the problem, no consensus has emerged on the best way to solve it.

The legal authority for states to use active defenses flows from states’ duty to prevent non-state actors within their borders from
committing cross-border attacks. “It is a long-established principle of international law that ‘a state is bound to use due diligence to prevent the
commission within its dominions of criminal acts against another nation or its people.’” Traditionally, this duty only required states to prevent
illegal acts that the state knew about beforehand; however, this duty has evolved in response to international terrorism to require states to act
against groups generally known to carry out illegal acts. In the realm of cyberwarfare, states must take this duty one step further by requiring
states to enact and enforce criminal laws as the only way to truly prevent cross-border cyberattacks. Otherwise, the current situation that states
face with China and Russia will continue to exist. While no international treaty affirmatively obligates a state to hunt down attackers within its
borders, such as with piracy, reinterpreting the duty of prevention to require states to hunt down attackers will solve the attribution problem
and response crisis. Once this duty is reinterpreted, international law allows victim-states to impute state responsibility to host-states that
neglected this duty, and respond in self-defense. In effect, repeated failure by a state to take criminal action against its attackers will result in
it being declared a sanctuary state, allowing victim-states to use active defenses against cyberattacks originating from within its borders.

Selectively targeting sanctuary states with active defenses will likely provide the added benefit of prompting sanctuary states to take
cyberattacks seriously as a criminal matter. Since no state wants another state acting within its borders, even electronically, this reinterpreted duty
will motivate states to hunt down attackers within their borders and work with victim-states to bring attackers to justice. States who wish to avoid
being the targets of active defenses can easily do so; all they have to do is pass stringent criminal laws, conduct vigorous and transparent criminal
investigations, and prosecute attackers.

PAPER OUTLINE

These conclusions are demonstrated over the next seven parts of this
article. Part I introduces the difficulty of active defense under the current legal regime. Part II provides background on the threat that international
cyberattacks pose to states, the legal problems that states encounter when dealing with them, and why current interpretations of the law of war
actually endanger states. Part III describes cyberattack methods, destructive capabilities, and defenses. Part IV lays out the basic
framework for analyzing armed attacks. Part V explores the challenges that non-state actors present to the basic framework of the law of war.
Part VI analyzes cyberattacks under the law of war. It demonstrates that cyberattacks can qualify as acts of war, that states have a duty to prevent
cyberattacks, and that victim-states have a right to use active defenses against host-states that neglect their duty to prevent cyberattacks. Part
VII examines the choice to use active defenses. It explains why states should use active defenses against cyberattacks, describes the
technological limits to detecting, classifying and tracing cyberattacks, and explores the impact these technological limitations will have on state
decision making. Finally, Part VIII urges states to start using active defenses to protect themselves from cyberattacks originating from states
that neglect their duty to prevent them.

Additional Notes and Highlights

Expertise Required: Law - Moderate; Technology - Low

The author is a Judge Advocate, U.S. Navy. Presently assigned as Staff Judge Advocate, Submarine
Group NINE. LL.M., 2009, The Judge Advocate Gen.’s Legal Ctr. & Sch., U.S. Army,
Charlottesville, Va.; J.D., 2002, Univ. of Tex. Sch. of Law; B.A., 1997, State Univ. of
N.Y. at Binghamton (cum laude); A.A., 1995, State Univ. of N.Y. at Rockland. Previous
assignments include Deputy Command Judge Advocate, U.S.S. Nimitz (CVN 68), 2006–
2008; Command Judge Advocate, Naval Air Station, Kingsville, Tex., 2004–2006; Trial
Counsel, Trial Service Office West, Detachment Bremerton, Wash., 2003–2004.
Member of the bars of Texas, the U.S. District Court for the Southern District of Texas,
the U.S. Court of Appeals for the Armed Forces, and the U.S. Supreme Court. This
article was submitted in partial completion of the Master of Laws requirements of the
57th Judge Advocate Officer Graduate Course.